Alvaro Folgado identified several security issues in Publify that are fixed in this release:

Rails’ protection from CSRF was not active for all actions. This was fixed.

Devise’s password recovery feature responded differently for existing and non-existing email addresses. It has been changed to use Devise’s ‘paranoid’ mode.

Publify was vulnerable to CVE-2016-3714, a vulnerability in ImageMagick, on servers that have affected versions of ImageMagick installed. It now checks the MIME type of uploaded files based on their content before processing them with ImageMagick.
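As an added illustration of the content-based check described above (example code, not Publify’s own), the snippet below sniffs the leading bytes of an upload against a small table of raster-image signatures and refuses anything whose content does not match the type the client declared; the signature table and the sample uploads are constructed for the example.

```ruby
# Added example, not Publify's own code: gate uploads on what the bytes
# actually are, not on the extension or the client-declared Content-Type.

# Leading-byte signatures for the raster formats a blog upload may carry
# (a deliberately small, constructed table; real sniffers know many more).
IMAGE_SIGNATURES = {
  'image/png'  => ["\x89PNG\r\n\x1a\n".b],
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/gif'  => ['GIF87a'.b, 'GIF89a'.b],
}.freeze

# Returns the MIME type implied by the content, or nil when the leading bytes
# match none of the allowed signatures (text formats such as SVG or MVG,
# which ImageMagick would otherwise interpret, fall through to nil).
def sniff_image_type(data)
  head = data.b[0, 8]
  IMAGE_SIGNATURES.each do |mime, signatures|
    return mime if signatures.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# An upload is handed to ImageMagick only when the sniffed type is on the
# allow-list AND agrees with the type the client declared; a ".png" whose
# body is really a vector-graphics document is rejected before processing.
def accept_upload?(data, declared_mime)
  actual = sniff_image_type(data)
  !actual.nil? && actual == declared_mime
end

# Constructed sample inputs, not real uploads.
PNG_UPLOAD = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR".b
GIF_UPLOAD = "GIF89a\x01\x00\x01\x00".b
FAKE_PNG   = "<svg xmlns=\"http://www.w3.org/2000/svg\"></svg>".b # declared as image/png
```

A production check would normally delegate to a full file-type sniffing library; the point here is that the decision is taken on the bytes, before any image library touches them.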

Publify used Rails’ cookie session store, making it possible to log back in by replaying an older value of the session cookie. Publify now stores session data in the database.
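To make the session-store point above concrete, here is an added Ruby sketch (not Publify’s or Rails’ code) of a cookie-only store and a server-side store side by side; the signing secret, the store class and the session data are constructed for the example.

```ruby
# Added example, not Publify's or Rails' code: an HMAC on a cookie proves
# integrity, not freshness, so a captured cookie still verifies after logout.
require 'openssl'
require 'json'
require 'securerandom'

SECRET = 'constructed-demo-secret'.freeze # stand-in for secret_key_base

# Constant-time comparison so MAC checks do not leak timing information.
def secure_equal?(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Cookie store: the cookie *is* the session, guarded only by an HMAC. ---
def cookie_store_sign(session)
  payload = JSON.generate(session)
  "#{[payload].pack('m0')}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
end

# Returns the session hash, or nil when the signature does not verify.
def cookie_store_load(cookie)
  encoded, mac = cookie.split('--', 2)
  payload = encoded.unpack1('m0')
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
  secure_equal?(mac.to_s, expected) ? JSON.parse(payload) : nil
end
# --- Server-side store: the cookie carries only an opaque id. ---
class DbSessionStore
  def initialize; @rows = {}; end
  def create(session); id = SecureRandom.hex(16); @rows[id] = session; id; end
  def load(id); @rows[id]; end
  def destroy(id); @rows.delete(id); end
end

# Log in, keep a copy of the cookie, log out, present the copy again.
def replay_after_logout_cookie_store
  captured = cookie_store_sign('user_id' => 1)
  # Logout can only ask the browser to forget the cookie; the server keeps
  # no record of issued cookies, so the captured copy still verifies.
  cookie_store_load(captured)
end

def replay_after_logout_db_store
  store = DbSessionStore.new
  captured = store.create('user_id' => 1)
  store.destroy(captured) # logout deletes the row the cookie points to
  store.load(captured)
end
```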

The blog name was not properly escaped in the views used for Devise.

Additionally, the following small bugs were fixed:

There was an error on sign-in due to the use of a deprecated Devise method.

This release brings a lot of small changes and a few big ones under the hood. The big ones shouldn’t really change anything from a functional standpoint right now, but they will allow some new possibilities and directions in the future. Enough with the vague words, here is a list of large or breaking changes:

Make Publify multiblog-ready: All models should now be directly or indirectly linked to a blog, opening the way for finally supporting multiple blogs in some form. What form? That is still up for debate, but you can join the discussion in the GitHub ticket.

Replace custom Publify authentication system with Devise. This simply gives us less code to maintain ourselves.

Replace custom Publify authorization system with CanCanCan. As with Devise, it’s better to use a well-maintained gem for this.

That was fast! Only 3 days after Publify 8.0.2 went live, we’re pushing a new 8.1.0 version.

This version does one thing: it migrates Publify from Rails 3.2 to 4.1.

It does not seem like a lot, but it actually took a tremendous amount of work from Matijs and Thomas to make it possible.

You may not be aware of it, but Publify is as old as open source Rails itself, and not only did they make our old code work under the latest version of our favorite framework, but they also modernized huge parts of our code.

It’s now time for them to take some rest, and for us to pick the features we want to see in the next version. Stay tuned!

We’re thrilled to announce the release of Publify 8.0.2. This is the last release before we migrate to Rails 4, and mostly a bug fix one. It fixes a denial of service vulnerability, so we highly recommend updating.

As usual, we want to thank our contributors. For this release, they are Alexander Markov, Benoit C. Sirois, Hans de Graaff, Soon Van, Tor Helland and Nicolas Bianco.

CVE-2014-3211

Très Acton discovered a risk of denial of service by memory exhaustion in the way Publify parses user input in comments.

Other squashed bugs

#423, #474: When using the more tag, article content is displayed twice.

#428: The editor save bar jumps up and down when typing, with inconsistent behavior.

Simpler, better, faster

Last summer, we started to rethink what we wanted Publify to be. At a time when online publishing is more or less split between WordPress, hosted platforms and static engines, being “only” a blogging platform had no meaning anymore. We started to extend publishing capabilities, choosing short notes pushed to Twitter as a first step before adding more content types. This led to Publify 7.0, and once again we knew it was the way to go.

Before adding these features, we wanted Publify 8.0 to rebuild the whole user experience. It had to be simpler, clearer and better, far from the MS Word 97 style that has prevailed in Web publishing for more than 10 years.

This meant a simpler interface with a single, smaller menu, moving away from the old create / read / update / delete scheme where possible, merging some sections and removing lots of things. It also means making the most of large screens, using responsive layouts as much as we could, even though that made the job harder at times.

The editor has been completely revamped, following the path opened by both Medium and Ghost. We’ve pushed aside everything that might distract you from writing. The editor goes fullscreen, and you can even pick a white or dark background as you prefer. The post settings are one click away from the editor, so you won’t feel lost. We know how much work is left to get a really classy tool, but we’re working on it.

Notes have been improved too. When replying to a tweet, Publify now displays the original tweet so readers keep the context in which the reply was written.

User profiles have been improved as well. Each user now has their own detailed page with avatar, contact links, a short bio and, of course, their published content.

Missing in action

The old categories vs. tags separation is no more. We merged the former into the latter, as a strict categorization has no real meaning on most blogs. Don’t worry about your URLs: we took care of everything, creating the redirects you need where necessary.

The excerpt has been removed. Excerpts were meant to display different content on the listing page than on the post itself. It was an interesting feature, but only a handful of people, if any, were using it, and it made the editor more complicated than necessary.

The old Typographic theme is not part of the core anymore. It has moved to its own project and will still be maintained.

The old XMLRPC backend has been discontinued. This means Publify does not support desktop clients anymore. This choice was motivated by the fact that the APIs it relied on had not been updated for 10 years, and that most desktop editors are not maintained anymore either. Web browser capabilities have evolved, and you can now have a fairly decent editor with local saving without needing a desktop application.

Under the hood

Publify has been around for 9 years now. Rails was not 1.0 yet when it started, and some of our code was older than you can imagine.

Publify 8.0 got rid of most of that legacy code. The old Prototype-based helpers that made Rails famous back then have left the building. Prototype itself has finally been replaced by jQuery, and Rails i18n allowed the Globalize-based translation system to enjoy a well-deserved retirement. Most helpers have been removed too, as most of them were only used in one place.

This should not affect you unless you’re running custom themes and plugins. If so, have a look at the Bootstrap theme to see how we’re now working.

That’s all folks, you can now download Publify, or give it a try on our demo platform.

Published on 02/03/2014 at 16h47 by Frédéric de Villamil. Tags: release